91.580.203 Computer & Network Forensics
Part I: Computer Forensics
Chapter 2: Understanding Computer Investigation
Xinwen Fu
BIS@DSU, Dr. Xinwen Fu
Outline
- Prepare a case
- Conduct an investigation
- Complete a case
- Critique a case
Course Outline
(Diagram of the incident response process)
Incident occurs: point-in-time or ongoing
Pre-incident preparation -> Detection of incidents -> Initial response -> Formulate response strategy -> Investigate the incident (data collection, data analysis) -> Reporting -> Resolution / recovery -> Implement security measures
CSIRT: Computer Security Incident Response Team
Preparing a Computer Investigation
Role of a computer forensics professional:
- Gather evidence to prove whether a suspect committed a crime or violated a company policy
- Maintain valid evidence that can be offered in court or at a corporate inquiry
- Follow an accepted scientific procedure to prepare a case
Things to Do while Preparing a Case
1. Assessing the case
2. Planning the investigation
3. Securing evidence
1. Assessing the Case
Systematically outline the case details:
- Nature of the case: public or private
- Type of evidence
- Location of evidence
Based on the case details, you can determine the case requirements:
- Computer forensics tools
- Special OSs
2. Planning your Investigation: Steps
1. Acquire the evidence
2. Complete an evidence form and establish a chain of custody
   - The chain of custody is the route the evidence takes from the time you find it until the case is closed or goes to court
   - Example: the videotape case in Prison Break (Michael Scofield and Lincoln Burrows). Lincoln Burrows is lured into killing somebody; when he pulls out the gun in a garage, the victim is already dead. Everything is taped, and the tape is manipulated so that it seems that Lincoln fires.
Single-Evidence Form
2. Planning your Investigation (Cont.)
3. Secure the evidence in an approved secure container
4. Transport the evidence to a computer forensics lab
5. Prepare a forensics workstation
6. Obtain the evidence from the secure container
7. Make a forensic copy of the evidence
8. Return the evidence to the secure container
9. Process the copied evidence with computer forensics tools
3. Securing your Evidence
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products: antistatic bags and pads
- Use well-padded containers
- Use evidence tape to seal all openings: floppy disk or CD drives, power supply electrical cord
- Write your initials on the tape to prove that the evidence has not been tampered with
- Consider computer-specific temperature and humidity ranges
Objectives
- Prepare a case
- Conduct an investigation
  - Overview
  - Preserving data on floppy disks
  - Preserving data on hard disks
  - Collecting data remotely
  - FTK for disk imaging and analysis
- Complete a case
- Critique a case
Setting Up a Specific Workstation for Collecting Evidence
- Why is DOS sometimes needed for acquiring data? Windows may contaminate files during maintenance
- Set up a Windows 98 workstation to boot into MS-DOS (P. 40): display a Startup menu; modify the Msdos.sys file using any text editor
- Install computer forensics tools: DriveSpy and Image
Conducting an Investigation
- Begin by copying the evidence using a variety of methods
- Recall that no single method retrieves all data; the more methods you use, the better
Gathering the Evidence
- Take all necessary measures to avoid damaging the evidence
- Place the evidence in a secure container
- Complete the evidence custody form
- Transport the evidence to the computer forensics lab
- Create forensic copies (if possible)
- Secure the evidence by locking the container
Understanding Data-Recovery Workstations and Software
- Investigations are conducted in a computer forensics lab (or data-recovery lab); computer forensics and data recovery are related but different
- Computer forensics workstation: a specially configured personal computer
- To avoid altering the evidence, use write-blocker devices and a forensics boot floppy disk
- Example: the FRED-M System, https://www.digitalintelligence.com/cart/html/FRED-M-System.html
Understanding Bit-stream Copies
- A bit-by-bit copy of the original storage medium: an exact copy of the original disk
- Different from a simple backup copy: backup software copies only known files; it cannot copy deleted files or e-mail messages, or recover file fragments
Understanding Bit-stream Copies (Cont.)
- A bit-stream image file contains the bit-stream copy of all data on a disk or partition
- It is preferable to copy the image file to a target disk that matches the original disk's manufacturer, size, and model
Understanding Bit-stream Copies (Cont.)
Creating a Forensic Boot Floppy Disk
- The goal is not to alter the original data on a disk
- A computer accesses files during startup. So what? The preferred way to preserve the original data is to never examine it: make forensic copies instead
- Create a special boot floppy disk that prevents the OS from altering the data when the computer starts up
- Windows 9x can also alter other files, especially if DriveSpace is implemented on a file allocation table (FAT) 16 disk
Assembling the Tools for a Forensic Boot Floppy Disk
Tools:
- Disk editor such as Norton Disk Edit or Hex Workshop
- Floppy disk
- MS-DOS OS
- Computer that can boot to a true MS-DOS level
- Forensics acquisition tool
- Write-block tool
Assembling the Tools for a Forensic Boot Floppy Disk (Cont.)
Steps:
- Make the floppy disk bootable
- Update the OS files to remove any reference to the hard disk (using Hex Workshop or Norton Disk Edit) (P. 50), in order to prevent access to C:\
- Modify the command.com file on the floppy disk
- Modify the Io.sys file on the floppy disk to disable DriveSpace
- Add computer forensic tools
- Test your floppy disk
- Create several backup copies
Retrieving Evidence Data Using a Remote Network Connection
- Bit-stream image copies can also be retrieved over a workstation's network connection
- Software: SnapBack, EnCase, R-Tools
- This can be a time-consuming process even with a 1000-Mb connection; it takes less time using a NIC-to-NIC connection
Review of Hash Algorithms
(Diagram: message of arbitrary length -> hash H -> a fixed-length short message)
- Also known as message digests, one-way transformations, one-way functions, hash functions
- The length of H(m) is much shorter than the length of m
- Usually fixed lengths: 128 or 160 bits (16 bytes or 20 bytes)
Applications of Hash Functions
- Downloading software from the Internet: compare the MD5 hash listed on the web with the MD5 hash calculated over the download
- Hash as the identity of a file
- Example: GPG4Win, e-mail security using GnuPG for Windows, http://www.gpg4win.org/
(Diagram: listed hash vs. calculated hash -> equal or not)
Applications of Hash Functions (Cont.)
- Primary application: verify a digital signature
(Diagram: the signer A sends m together with d_A(H(m)); the verifier computes H(m) from m, recovers H'(m) = e_A(d_A(H(m))) with the public key e, compares the two, and answers yes/no)
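The two applications on these slides, the listed-versus-calculated download hash and the signature check H'(m) = e_A(d_A(H(m))), as an added example that is not part of the lecture. The RSA key is a constructed textbook-sized one (n = 61 * 53) and the "download" is the byte string "abc", whose MD5 is a published test vector; the digest is reduced modulo n only so the toy key can sign it.

```python
import hashlib
import hmac

def calculated_md5(data: bytes) -> str:
    """MD5 of the bytes actually downloaded (the 'calculated hash' on the slide)."""
    return hashlib.md5(data).hexdigest()

def verify_download(data: bytes, listed_md5: str) -> bool:
    """Compare the hash listed on the web page with the calculated one.
    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters matched."""
    return hmac.compare_digest(calculated_md5(data), listed_md5.strip().lower())

# Constructed textbook RSA key pair for signer A: n = 61 * 53, e * d = 1 mod phi(n).
# Tiny and unpadded, so it only illustrates the slide's notation; real signatures
# use large keys and a padding scheme such as RSASSA-PSS.
N, E, D = 3233, 17, 2753

def H(m: bytes) -> int:
    """H(m): SHA-1 digest of m as an integer, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % N

def sign(m: bytes) -> int:
    """d_A(H(m)): A applies its private key d to the digest, not to m itself."""
    return pow(H(m), D, N)

def verify(m: bytes, signature: int) -> bool:
    """H'(m) = e_A(d_A(H(m))) recovered with A's public key e, compared with H(m)."""
    return pow(signature, E, N) == H(m)

if __name__ == "__main__":
    download = b"abc"                                   # constructed stand-in for a downloaded file
    listed = "900150983cd24fb0d6963f7d28e17f72"         # MD5("abc"), as a web page would list it
    print("download hash matches:", verify_download(download, listed))
    sig = sign(download)
    print("signature verifies:", verify(download, sig))
    print("altered signature verifies:", verify(download, (sig + 1) % N))
```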
Copying the Evidence Disk
- Recall that a forensic copy is an exact duplicate of the original data
- Create a forensic copy using MS-DOS or a specialized tool such as Digital Intelligence's Imager
- First, create a bit-stream image; then, copy the image to a target disk
Creating a Bit-stream Image with FTK Imager
Functions:
- Create the image of a physical drive
- Extract the image from a bit-stream image file
- Analyze the image
Forensic software downloads (link): Forensic Toolkit (FTK) version; FTK Imager version, or FTK Imager Lite version 1; Known File Filter Library file version (not necessary)
Creating a Bit-stream Image with FTK Imager (Cont.)
- Start Forensic Toolkit (FTK) Imager by double-clicking the icon on your desktop
- Click File, Image Drive from the menu; insert the floppy disk labeled "Domain Name working copy #2"
- In the dialog box that opens, click the A: drive to select a local drive, then click OK
- A wizard walks you through the steps: accept all the defaults; specify the destination folder; if necessary, create a folder called Forensics Files; name the file Bootimage.1
FTK Imager: Create Image
FTK Imager: Read Image
Analyzing Your Digital Evidence with Forensic Toolkit (FTK)
- Your job is to recover data from deleted files, file fragments, and complete files
- Deleted files linger on the disk until new data is saved on the same physical location
- Tools: Digital Intelligence's DriveSpy, AccessData's FTK
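Why a bit-stream copy (the "Understanding Bit-stream Copies" slides) recovers what a file-level backup cannot, and why a deleted file lingers until its sectors are reused, as an added example that is not part of the lecture. The "disk" is a constructed 128-byte array with 16-byte sectors and a toy directory; the sector layout, file names and contents are all made up for the illustration.

```python
import hashlib

SECTOR = 16      # constructed toy geometry: 16-byte sectors
SECTORS = 8      # 8 sectors -> a 128-byte "disk"

def make_disk():
    """Build the constructed disk: a byte array plus a directory of allocated files."""
    disk = bytearray(SECTOR * SECTORS)
    directory = {}
    for name, sector, data in [("memo.txt", 2, b"meeting at 9pm"),
                               ("plan.txt", 5, b"transfer funds")]:
        start = sector * SECTOR
        disk[start:start + len(data)] = data
        directory[name] = (sector, len(data))
    return disk, directory

def delete_file(directory, name):
    """Deletion drops the directory entry only; the sector contents stay on the disk."""
    del directory[name]

def backup_copy(disk, directory):
    """File-level backup: copies only the files the file system still knows about."""
    return {name: bytes(disk[s * SECTOR:s * SECTOR + n])
            for name, (s, n) in directory.items()}

def bitstream_copy(disk):
    """Bit-stream image: every byte of the medium, allocated or not."""
    return bytes(disk)

def image_hashes(data):
    """MD5 and SHA-1 of an image, used to show the copy is exact."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def carve(image, fragment):
    """Offset of a fragment anywhere in the image, unallocated space included, or -1."""
    return image.find(fragment)

def demo():
    disk, directory = make_disk()
    delete_file(directory, "plan.txt")       # the file is "deleted" before acquisition
    backup = backup_copy(disk, directory)
    image = bitstream_copy(disk)
    return {
        "backup_files": sorted(backup),                        # only memo.txt survives a backup
        "fragment_offset": carve(image, b"transfer funds"),    # deleted data is still at sector 5
        "image_exact": image_hashes(image) == image_hashes(bytes(disk)),
    }

if __name__ == "__main__":
    print(demo())
```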
Analyzing Your Digital Evidence (Cont.)
In-Class Exercise
1. Form the group
2. Check the checksums (MD5 and SHA1) of the downloaded gpg4win-1.1.3.exe by using WinPT within gpg4win
3. Play with FTK and search around the image
Completing the Case
- You need to produce a final report
- State what you did and what you found; you can even include logs from the forensic tools you used
- If required, use a report template
- The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy
Critiquing the Case
Ask yourself the following questions:
- How could you improve your participation in the case?
- Did you expect the results you found?
- Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
Critiquing the Case (Cont.)
Questions continued:
- What feedback has been received from the requesting source?
- Did you discover any new problems? What are they?
- Did you use new techniques during the case or during research?